
Re: restrict root access to physical console



On Tue, Aug 22, 2000 at 02:05:14PM -0700, Mike wrote:
> Hello:
> 
> Is there some way to restrict root access to the physical terminal 
> connected to my machine?  I recently had a server rooted and I'm starting 
> from scratch with serious security in mind.  If I did restrict root access 
> as above, would that successfully thwart root exploits?
> 
> Also, is there a Debian security HowTo anywhere?  I've looked and can only 
> find general Linux info (which is good) and RedHat-specific stuff.

The general situation should give you a good start.

You can disable logins to various ttys through securetty.

You can disable logins through telnet through its configuration
utilities.  Better off, disable and remove telnet and telnetd
altogether.

You can disable logins through other insecure services (ftp, etc.) as
well, though again, I'd generally advise you not to run these.

You can disable direct root login through ssh (which you *should* have
and use if you need remote access).  I would consider this a Good Thing,
as you then have an audit trail of which user was used to gain root
access.  Better yet, disable password access, and allow RSA key
authentication from designated nodes and users only.

You *can* remove tools such as 'su' and 'sudo' which allow root to be
gained through an existing shell, though I don't generally recommend
this.  Some core functionality may require su, in particular (cron jobs,
usually).  You can limit access by setting execute privileges to
specified groups or users. 

Generally speaking, rooting a box isn't done by logging in remotely,
it's by utilizing an existing exploit on a system.  You can minimize
these risks by reducing the number of services you host, restricting
access to these through tcpwrappers (/etc/hosts.allow, /etc/hosts.deny),
firewalls, and eternal vigilance.

Specific security reference:  Wes Sonnenreich and Tom Yates, _Building
Linux and OpenBSD Firewalls_.  Aside from a really good guide on
building firewalls, it's also a strong general reference on network
security.  Strongly recommended.

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
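
An added example, not part of the original message and not any project's own code: a small Python audit of the settings the reply above refers to (root login and password authentication in sshd_config, the tty list in /etc/securetty, a default-deny rule in /etc/hosts.deny), run over constructed sample contents. It assumes only the global section of sshd_config matters (parsing stops at the first Match block) and that only `console` and `ttyN` entries count as the physical console; the function names are hypothetical.

```python
import re

# Constructed sample inputs (not from the original post).
SSHD_CONFIG = ("PermitRootLogin yes\nPasswordAuthentication yes\n"
               "PermitRootLogin no\nMatch User backup\n")
SECURETTY = "console\ntty1\n# pseudo-terminals\npts/0\nttyp0\n"
HOSTS_DENY = "# only one daemon blocked\nin.ftpd: ALL\n"

def sshd_global(text):
    """Global sshd_config settings; sshd uses the first value it reads."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":  # assumption: audit global section only
            break
        seen.setdefault(parts[0].lower(), (parts + [""])[1].strip().lower())
    return seen

def remote_ttys(text):
    """securetty entries other than the console and virtual consoles (ttyN)."""
    names = [l.strip() for l in text.splitlines()]
    return [n for n in names if n and not n.startswith("#")
            and not re.fullmatch(r"console|tty\d+", n)]

def default_deny(text):
    """True if hosts.deny contains a catch-all 'ALL: ALL' rule."""
    for line in text.splitlines():
        fields = [f.strip().upper() for f in line.split("#")[0].split(":")]
        if fields[:2] == ["ALL", "ALL"]:
            return True
    return False

def audit(sshd, securetty, hosts_deny):
    cfg = sshd_global(sshd)
    findings = []
    if cfg.get("permitrootlogin") != "no":
        findings.append("sshd: direct root login not disabled")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("sshd: password authentication enabled")
    findings += [f"securetty: root login allowed on {t}" for t in remote_ttys(securetty)]
    if not default_deny(hosts_deny):
        findings.append("hosts.deny: no ALL: ALL default-deny rule")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, SECURETTY, HOSTS_DENY)))
```

In the sample, the later `PermitRootLogin no` has no effect because the earlier `yes` is read first, which is why the audit still reports root login as enabled.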
